1 VUMC Confidentiality Policy and HIPAA Implications for Clinical Research General Clinical Research Center Skills Workshop March 2, 2007 Gaye Smith Privacy Official

2 Vanderbilt as a Hybrid Entity HIPAA is a federal law that protects the privacy and security of an individual’s health information held by a “Covered Entity.” HIPAA supplements the Common Rule and the FDA’s protections for human subjects. For purposes of HIPAA, “Covered Entity” includes health care providers, health care plans, and health care clearinghouses that conduct specified transactions electronically. Vanderbilt University is engaged in both Covered Entity functions and other activities that are not Covered Entity functions and is therefore considered a Hybrid Entity. HIPAA regulations only apply to the Covered Entity functions.

3 Hybrid Entity Covered Entity Designation As of March 30, 2005 the Vanderbilt Covered Entity (VCE) includes: Vanderbilt Medical Center hospitals, clinics, and practices Vanderbilt Medical Group (VMG) Vanderbilt School of Medicine (SOM) Vanderbilt School of Nursing (SON) Vanderbilt Health Plan VUMC Administration for covered functions that involve the use and disclosure of PHI. In July of 2006, the VACE was expanded to include the affiliated entities for which VUMC has a controlling ownership interest or management accountable. Whether a Vanderbilt function or individual’s activity on behalf of VU is included in the VACE is determined based not upon any particular dept/unit, but instead upon the data being used and/or disclosed.

4

5 Data Categories Individually Identifiable Health Information (IIHI) – information collected from an individual that is created or received by a health care provider, employer, plan, or clearinghouse and relates to the past, present, or future physical or mental condition of the individual; the provision of health care to an individual; or the past, present, or future payment for the provision of care; and identifies the individual or can reasonably be used to identify the individual. Protected Health Information (PHI) – IIHI transmitted or maintained in any form by a covered function within the Vanderbilt covered entity. This specifically excludes education and employment records, as well as research health information.

6 Data Categories Research Health Information (RHI) – a term used by Vanderbilt to identify Individually Identifiable Health Information (IIHI) used for research purposes that is not PHI, and thus is NOT subject to the HIPAA privacy and security regulations. RHI is created in connection with research activity and is not created in connection with patient care activity. If a researcher is also a health care provider and IIHI is created in connection with the researcher’s health care provider activities, then the IIHI is PHI and is subject to HIPAA. IIHI that is created as PHI and is needed for research purposes may be disclosed to a researcher subject to the IRB approval process, which includes proper patient authorization or IRB waiver of authorization. After the PHI is properly disclosed to the research setting, the IIHI transferred to the research setting becomes RHI, which is no longer subject to the requirements of HIPAA.

7 WHAT PARTS OF RESEARCH ARE INSIDE THE HEALTHCARE COMPONENT OF THE HYBRID ENTITY? INSIDE THE HEALTHCARE COMPONENT PHI is health information created, used, and/or stored as a by- product of the delivery of health care services (stored in the designated record set) Human Subjects Research using PHI Clinical Trials Health Information created as RHI and conveyed to the medical record to support treatment purposes OUTSIDE THE HEALTHCARE COMPONENT Research Health Information is created, used, stored, or disclosed from a research data file or system distinctly separate from the patient’s medical record Animal and Basic Sciences Research Human Subjects Research not using PHI

8 PHI RHI (prepared by Daniel Masys, M.D.) PHI RHI HIPAA Authorization RHIPHI Research creates new information added to medical records Subject to HIPAA requirements (and potentially, penalties) Authorization converts PHI to RHI whose use is governed by terms of authorization or IRB waiver Internal disclosure

9 Data Handling Implications for PHI vs. RHI PHI is subject to the HIPAA for the Privacy Rule and the Security Rule. RHI is subject to best practices for maintaining confidentiality of research records, but not subject to HIPAA. Subsequent uses and disclosures of RHI are governed by the terms of the authorization or waiver, not by HIPAA.

10 Uses and Disclosures for Research HIPAA and VUMC policy generally limit the use and disclosure of PHI to treatment, payment, and administrative operation (TPO) functions, unless proper authorization is secured from the patient. Research falls outside of TPO and will always require specific authorization or other protections. PHI can be used or disclosed for research purposes if one of the following conditions is met: With a specific authorization signed by the patient With an IRB waiver of this authorization Under the “Preparatory to Research” criteria in IRB Policy X.A As a limited data set in conjunction with a Data Use Agreement As fully de-identified data For research on decedents Disclosures related to FDA-regulated products.

11 PHILimited Data SetDe- identified Data Waiver from IRB IRB waiver Exempt research, no PHI Accounting of disclosure NOT required Patient Authorization Disclosure Accounting IS REQUIRED or Requirements for Use or Disclosure of Data for Human Research IRB Exemption or and Data Use Agreement Accounting of disclosure is NOT required

12 If you have privacy or information security concerns or questions contact: Privacy Office ( ) or Help Desk ( ) Your manager Compliance Reporting Line ( ) Always forward patient privacy complaints to Patient Affairs ( ) or the Privacy Office.